五、新型說明: 【新型所屬之技術領域】 本創作係關於一種儲存裝置’尤指一種保全式儲存裝 置及資料保全系統。 1 【先前技術】 隨著電子裝置整合功能日盈多樣化,對於内部記憶體 容量的需求也不斷增加。快閃記憶卡為一種廣泛應用的儲 存裝置’其採用#揮發性記憶體儲存資料,具備小型化體 積、低功耗、穩定且快速的讀取逮率,多種電子裝置均利 用這種儲存裝置來擴充記憶體容量。 儲存裝置内部的數位資料若具有機密性質,或受到版 權保護,則須藉由保全程序限制使用者的存取權限,避免 資料被修改或隨意複製散播。 一般儲存裝置的保全方法包括下列兩大方式。第一種 方式為加密保全資料’儲純置與主機具有_的金输, 透過兩者對残進行交互驗證後,再對加密資料進行解 ^由主機輸出實體㈣。第二财式則為驗證主機與儲 子裝置的識別碼’以確魅機對儲存t置的存取權限 過驗證之後,再由主機存取保全資料。 資料加密及身分驗證雖可提供基本保護, 生不斷提高,使㈣全資料遭受破解,^ f的風險«之提高’而損害㈣所有人的智慧t衣 隱私曝光風險。因而強化保全資料的驗證機 M380519 同時,現有資料保全機制中M 榷限’便無法查詢内部儲存明細。—旦者不具備存取 裝置數量太多而善加分類管理,將:戶^擁有的儲存 儲存内容,造成使用困擾。、、識每一裝置内部 本案創作人有鑑於此,從 提升儲存裝置的適用性,並強二:=,期藉由本案 供使用者端更翻關全鱗。、置的保全功能,提 【新型内容】 因此,本創作之主要目 置及資料保全系統,其藉由將記憶= =全式儲存裝 存空間與-開放儲存空間,分別儲、=为為-隱藏儲 表’開放儲存空間可被自由存取以料及槽案配置 直接連接存取加密資料,_由主細,但無法 ,序二取得讀寫授權後,隱藏儲存二軟體完成驗證 提升貧料儲存裝置之適二B 。接收存取,係可 製散播。 亚杜絕資料被任意修改與複 料保全系統’其藉由主全式儲存裝置及資 完成驗證料,並管理:輸取^置共同 本創作之又-目的在貝料保全層級。 :保:系統’其藉由記錄隱藏儲存二=存裝置及資 達到一預设極限值時,禁止隱 H欠數,以於 可進一步保障資料安全。%、:予空間被繼續存取,係 料保t創作之再—目的在於提供一種保全式儲存裝置及資 'd 系、先,其藉由提供一授權s忍證晶片,整合認證授權 、加密/解密模組及隱藏儲存空間,隔絕一般主機察覺 隱藏儲存空間之資料,係可周全保障資料安全。./丁、 mi達上述目的,本創作係揭示—㈣全式儲存裝置, 體3Γ用於與—主機資料連結,此主機係絲有-管理軟 保全=保全式儲存裝置共同執行一驗證程序。所述之 讀寫㈣f裝置包括—記憶體模組、—認證授權模組、一 儲存加密/解密模組。記憶體模組包括-隱藏 加密# 存空間’隱藏儲存空間係配合儲存- 宰儲存空間係配合儲存一槽案配置表,此幹 —㈣錄加”料之贿位置及屬性。認證授權ί 產配合管理軟體執行驗證程序= 之要求:=::===權,應主機 加密/魅金出寫入命令。 間^^組耦接於隱藏儲存空間及讀寫控制模电之 後,經讀寫控制模組輸出至主機,及:料解密 案配置表。根據_储存空間之資料異動,更新槽 本創作更揭示一種資料俘八 全式儲存I置。主機 有王::、·、,包括—主機及-保 證程序。保全式儲理軟體’用以執行—驗 體模组、-認證授嶋、包括-記憶 男舄控市丨]板組及一加密/解密 M380519- 模組。記憶體模組包括一隱藏儲存空間及一開放儲存空 間,其中隱藏儲存空間係配合儲存一加密資料,開放儲存 空間係配合儲存一檔案配置表,此檔案配置表係記錄加密 資料之儲存位置及屬性。認證授權模組係用以與主機資料 連結,配合管理軟體執行驗證程序,以產生一讀寫授權。 讀寫控制模組根據讀寫授權,回應主機之要求,對隱藏儲 存空間下達一讀出命令及一寫入命令。加密/解密模組耦接 於隱藏儲存空間及讀寫控制模組之間,用以回應讀出命 令,將隱藏儲存空間之加密資料解密後,經讀寫控制模組 輸出至主機,及回應寫入命令,接收主機輸出之一外部資 料加密後,儲存於隱藏儲存空間,其中讀寫控制模組並根 據隱藏儲存空間之資料異動,修改檔案配置表。 於一具體實施例,所述之隱藏儲存空間係儲存有該讀 寫控制模組對隱藏儲存空間之讀寫次數,當讀寫次數達到 一預設極限值時,讀寫控制模組係取消讀寫授權,禁止主 機存取隱藏儲存空間。 於一具體實施例,所述之保全式儲存裝置更包括一授 權認證晶片,認證授權模組、加密/解密模組及隱藏儲存空 間係整合於授權認證晶片上。 以上之概述與接下來的詳細說明及附圖,皆是為了能 進一步說明本創作為達成預定目的所採取之方式、手段及 功效。而有關本創作的其他目的及優點,將在後續的說明 及圖式中加以闡述。 6 M380519 【實施方式】 本創作提出一種保全式儲在 全式儲存裝置提供安全的===全系統。保 次^ 乂主要特點係將檔案配置表及經過加穷的本邮二安 貧料分別儲存於不同儲存空間,以接二 ^細’但無法直接連結柿實職 提供^ 適用的周全保障。 寸时了挺供更為V. New description: [New technology field] This creation is about a storage device, especially a security storage device and data security system. 1 [Prior Art] As the integration function of electronic devices is diversified, the demand for internal memory capacity is also increasing. Flash memory card is a widely used storage device. It uses # volatile memory to store data, with small size, low power consumption, stable and fast read rate. Many electronic devices use this storage device. Expand memory capacity. If the digital data inside the storage device is confidential or protected by copyright, the user's access rights should be restricted by the security procedure to prevent the data from being modified or randomly copied. The general storage device preservation method includes the following two major methods. The first method is to encrypt the security data. The storage and the host have the gold input of _, and after the mutual verification of the residuals, the encrypted data is solved. ^ The host outputs the entity (4). In the second fiscal mode, the identification code of the host and the storage device is verified to confirm the access authority of the storage device. After the verification, the host accesses the security data. Although data encryption and identity verification can provide basic protection, students continue to improve, so that (4) full data is cracked, and the risk of ^f is improved and damages (4) the wisdom of everyone's privacy exposure. Therefore, the verification machine M380519 which strengthens the security data can not query the internal storage details at the time of the existing data security mechanism. Once the number of devices is not available, the number of devices is too large, and the classification management is used. In order to understand the applicability of the storage device, the creator of the case has to improve the applicability of the storage device, and the second is to use the case for the user to turn over the scale. The security function of the device, the new content] Therefore, the main purpose of the creation and the data security system, by storing == full storage storage space and - open storage space, respectively, = as - Hidden storage table 'open storage space can be freely accessed for material and slot configuration directly connected to access encrypted data, _ by the main fine, but can not, after the second read and write authorization, hidden storage software to complete verification to improve poor storage The device is suitable for B. Receive access, which can be distributed. Yaduo's data was arbitrarily modified and the restoration system was completed. The main storage device and the materials were used to complete the verification and management: the input and the joints were combined. The purpose of this creation was to maintain the level of preservation. : Guarantee: The system's use of the hidden storage storage device and the resource to reach a preset limit value prohibits the hidden H number, so that data security can be further protected. %, : The space is continued to be accessed, and the material is guaranteed to be created again. The purpose is to provide a security storage device and a 'd system, first, by providing an authorization s forcing chip, integrating authentication and authorization, and encrypting / Decryption module and hidden storage space, to isolate the general host to detect hidden storage space data, can fully guarantee data security. . / D, m for the above purposes, the creation of the Department revealed - (4) full storage device, body 3 Γ for the connection with the host data, the host system has a - management soft security = security storage device to jointly perform a verification procedure. The read/write (four) f device includes a memory module, an authentication and authorization module, and a storage encryption/decryption module. Memory module includes - hidden encryption # storage space 'hidden storage space is matched with storage - slaughter storage space is used to store a slot configuration table, this dry - (four) record plus material bribe location and attributes. certification authorization ί production coordination Management software execution verification program = requirements: =::===right, should be host encryption / charm gold out of the write command. The ^^ group is coupled to the hidden storage space and read and write control mode, read and write control Module output to the host, and: material decryption configuration table. According to the _ storage space data changes, update the slot creation to reveal a data capture eight full storage I. Host has king::, ·,, including - host And - guarantee procedures. Security storage software 'for execution - body test module, - certification license, including - memory man control market board" and an encryption / decryption M380519 - module. Memory module The utility model comprises a hidden storage space and an open storage space, wherein the hidden storage space is used for storing an encrypted data, and the open storage space is configured to store a file configuration table, wherein the file configuration table records the storage location and attributes of the encrypted data. The license authorization module is used to link with the host data, and cooperate with the management software to execute the verification program to generate a read/write authorization. The read/write control module responds to the request of the host according to the read/write authorization, and issues a read command to the hidden storage space. And a write command. The encryption/decryption module is coupled between the hidden storage space and the read/write control module, and is configured to respond to the read command, decrypt the encrypted data of the hidden storage space, and output through the read/write control module. To the host, and in response to the write command, the external data of the receiving host output is encrypted and stored in the hidden storage space, wherein the read/write control module changes the file configuration table according to the data of the hidden storage space. The hidden storage space stores the read/write control module to read and write times of the hidden storage space. When the number of reading and writing reaches a preset limit value, the read/write control module cancels the read/write authorization, and the host is prohibited. Accessing the hidden storage space. In one embodiment, the security storage device further includes an authorization authentication chip, an authentication authorization module, and The secret/decryption module and the hidden storage space are integrated on the authorized authentication chip. The above summary and the following detailed description and the drawings are intended to further illustrate the manner, means and functions of the creation for the intended purpose. Other purposes and advantages of this creation will be explained in the following description and drawings. 6 M380519 [Embodiment] This creation proposes a full-scale storage system that provides security in a full storage device ===. The main feature of Baoji ^ 乂 is to store the file allocation table and the postage of the poor postage in the different storage spaces, so as to be able to directly link the persimmons to provide the full protection. Very more for more
首先,請參閱第-圖及第二圖,分別為本創作 呆王糸統之—具體實施例之系統架構圖 立 圖。圖中’資料保全純10包括—保全式儲存裝置7〇思 一讀寫裝置30及一主機4〇。 、保全式儲存裝置20特別係指一快閃記憶卡,其規格可 為SD記憶卡(Secure Digital )、CF記憶卡 (CompactFlash)、MS 記憶卡(Memory Stick)、MMC 記慘First of all, please refer to the first and second figures, which are the system architecture diagrams of the specific embodiment of the creation. In the figure, the data security pure 10 includes a security storage device 7 and a read/write device 30 and a host computer. The security storage device 20 is specifically a flash memory card, and its specifications can be SD Memory Card (Secure Digital), CF Memory Card (CompactFlash), MS Memory Card (Memory Stick), MMC.
卡(MultiMedia Card)、SM 記憶卡(Smart Media)或幼 記憶卡(xD-Picture Card)等記憶卡種類。主機4〇為〜 電腦系統。讀寫裝置3〇則為一讀卡機,設有插槽3〇〇,以 接受保全式儲存裝置20插接,與其訊號端子電性連接,並 經由一傳輸線50耦接興主機40。讀寫裝置30内部設有處 理核組31 ’用以轉換訊號格式,使保全式儲存裝置2〇輿 主機40資料連結。 ” 按’此實例之資料保全系統10中,保全式儲存裝置 20係經由讀取裝置30間接與主機40資料連結。於其他實 7 施例,假如主機具備讀卡機功能,則保全式儲存裝置可 接插接於主機之記憶卡插槽。 主機40係安裝有一管理軟體41,用以連結保全式儲 存裝置20,共同執行身分驗證與資料存取。管理軟體41 包括一驗證模組42及一資料處理模組43,其中驗證模級 ^係與保全式儲存裝置20共同執行驗證程序,資料處理 板組43則為存取保全儲存裝置2〇的介面。管理軟體 將使得資料安全?—層保障。 保全式儲存裝置20包括一記憶體模組21、一讀寫控 ^換組22、—加密/解密模組23及一認證授權模組24。記 十思體模組21包括一隱藏儲存空間211及一開放儲存空間 藏儲存空間212係配合儲存一加密資料,開放儲存 空,以1係配合儲存一檔案配置表,此檔案配置表係記錄 加役貧料之儲存位置及相關屬性。 —進、,步兒明上述特點。一般槽案系統是由槽案配置表 κ田木資料區塊共同組成,檔案配置表為每一檔案的 置資料(或稱索引節點,index node),記載檀案個別屬 性(例如:檔案類型、檔案擁有者、所屬群組帳號、檔案 ^核=、槽案大小、建立時間等)與指向實體資料存放 品鬼曰‘(P〇inter)。新建一個檔案會在記憶體内產生 =組貝料’包括槽案配置資料及實體槽案資料。每-樓案 句對應锊定編號(inode number)之檔案配置資料。恭 腦系統讀取槽安Φ α# 、 兒 %保木配置表,便可建立檔案目錄明細。 5己仏體极組21區分為開放儲存空間211及隱藏儲存空 埘柳519Memory card types such as MultiMedia Card, SM Smart Card, or xD-Picture Card. The host 4 is ~ computer system. The read/write device 3 is a card reader, and has a slot 3 port for receiving the security storage device 20, electrically connected to the signal terminal, and coupled to the host 40 via a transmission line 50. The read/write device 30 is internally provided with a processing core group 31' for converting the signal format, so that the security storage device 2 is connected to the host computer 40. According to the data security system 10 of this example, the security storage device 20 is indirectly connected to the host 40 via the reading device 30. In other embodiments, if the host has the card reader function, the security storage device The host software 40 is connected to the memory card slot of the host computer. The host computer 40 is provided with a management software 41 for connecting the security storage device 20 to perform identity verification and data access. The management software 41 includes a verification module 42 and a The data processing module 43 is configured to perform a verification process together with the security storage device 20, and the data processing board group 43 is an interface for accessing the storage device. The management software will make the data secure. The security storage device 20 includes a memory module 21, a read/write control group 22, an encryption/decryption module 23, and an authentication and authorization module 24. The memory module 21 includes a hidden storage space. 211 and an open storage space storage space 212 is used to store an encrypted data, open storage space, and a file configuration table is stored in a series, and the file configuration table records the service of the lean material. Storage location and related attributes. - Enter, and step by step. The general slot system is composed of the slot configuration table κ田木数据区, and the file configuration table is the data for each file (or index node). , index node), records the individual attributes of the Tan file (for example: file type, file owner, group account, file ^ core =, slot size, settling time, etc.) and pointing to the entity data stored in the ghosts' (P〇 Inter). A new file will be generated in the memory = group of materials - including the slot configuration data and the entity slot data. The file configuration information corresponding to the inode number is calculated for each sentence. Take the slot Φ α#, 儿%保木 configuration table, you can create the file directory details. 5 仏 仏 body group 21 is divided into open storage space 211 and hidden storage space 埘 519
間212 ’分⑽存财配置表及經過加密的實體播幸資 料,便可接受外部電腦自由讀取建立槽案目錄,以查詢儲 存明細,但無法直接連結存取實體财資料,須經由資料 保全系統10 成驗證程序,相合衫分,取得讀寫 權,才能建立財gi置表與加密㈣之關聯連結,讓 使用者對隱藏儲存空間212進行存取。 D 認證授權模組24用以與主機4〇資料連結,配合管理 軟體41之驗證模組42共同執行驗證程序,由兩端交握通 二,Γ讀寫授權’讓主機4Q取得存取權限。附帶一 驗:二C經由身分密碼驗證1置授權碼交互 ^ , 者存有一淼別碼,主機4〇具有另一$ μ ,端交換識別™方合法身分有:產=授 的讀!配合讀取保全式儲存裝置2。 讀寫楚置30六^有一振經過保全式错存裝置30血 儲存資握驗證此權限後,才允許讀寫裝置3〇存取 模組22為保全式儲縣 π亚為裝置通訊介面,其根據 。控制處理核 二枓處理模組42下達之要求 回f主機40 1出命令與—寫入命令。 存空間212下達 9 藏儲存空間212及讀 7,將隱藏儲存空間2 f '、’且22之間’用以回應讀出命 輪紐22輸出至主機4〇 :在、貧料解密後,經讀寫控制 外部資料加密後,健存;=令,接收主機4〇輸 項寫控制模組22 子於職儲存空間212,其中 新開放儲存空間二之資料異動,更 另外,資料保全系 212的存取狀況。於—呈 可進—步監控隱藏儲存空間 連結讀寫控制模組22根據理軟體41執行中,係 讀寫次數,於F塞藏、〇對隱藏儲存空間212的 U職錯存空間212内邱诸六七二 存取記錄達到-預設極限值時,建立一存取記錄,當 寫授權,禁止主彳t °貝舄控制模組22將取消讀 安全。 機4〇存取隱藏儲存空間如,以保障資料 上係以H组閣述本案特點 第三圖,本創作之保全式餘h # °月门守參閱 η 保王⑽料置之—具體實施例之硬體 架構二圖。圖係顯示保全式儲存裝置2()的簡明硬體架 構’包括-處理器25、一記憶體晶片26、一授權認證晶片 27及-傳輪介面28。傳輸介面28為裝置訊號端子組,用 以與讀取,置30之插槽3GG内部端子導通,傳輸資料訊 號。處理β 25為裝置控制處理核心,係實現讀寫控制模組 22功能,5己憶體晶片26提供記憶體模組21之開放儲存空 間211。隱藏儲存空間212、認證授權模組24、加密/解密 模組23則整合於授權認證晶片27上。所述之授權認證晶 片27為一多功能晶片組,一般稱為智慧卡晶片,主機4〇 唯通過驗證程序,始得以存取内部加密資料,可隔絕一般 主機察覺隱藏儲存空間2i2 級。 之所有資料,提升資料保全層 提供存ΐίΓΓΐ1 切存裝置及#料保全系統 間,分別儲亡2 /、有隱藏儲存空間與一開放儲存空 用性。n a 接存取加密資料,將提升裝置適 證程序主機之官理軟體與儲存裝置共同完成驗 可進一:二f存f間之讀寫次數以限制資料存取量,將 絕-般ί機二全。再者’採用授權認證晶片將可隔 係可提升=二===保障資料安全°故本創作 資料被任意修改與㈣。,亚確保制安全,杜絕 ) 隹’以上所述,僅為本創作的 及圖式而已,並非用以限制本創作,,、本=例之詳細說明 以下述之申請專利範圍為準,^之所有範圍應 作之領域内,可輕易思及之變化或;:=項技藝者在本創 案所界定之專利範圍。 …白可涵蓋在以下本 【圖式簡單說明】 第一圖係為本創作 系統架構示意圖,· 弟一圖係為本創作 連接狀態示意圖;及 之資料保全系統之一 之資料保全系統之一 具體實施例之 具體貫施例之Between the 212's (10) deposit configuration table and the encrypted entity broadcast information, the external computer can be freely read and created to query the storage details, but the direct access to the physical information cannot be accessed through the data. The system 10 is used as a verification program to match the shirts and obtain the right to read and write, so as to establish an association link between the financial table and the encryption (4), so that the user can access the hidden storage space 212. The D authentication and authorization module 24 is used to connect with the host computer 4, and the verification module 42 of the management software 41 cooperates to execute the verification program. The two ends are handed over to the second and the read and write authorizations are made to enable the host 4Q to obtain access rights. Attached to a test: 2 C through the identity password verification 1 set authorization code interaction ^, there is a screening code, the host 4 〇 has another $ μ, the end exchange identification TM party legal identity: production = grant reading! with read The full storage device 2 is taken. Read and write Chu set 30 6 ^ There is a vibration through the security type of memory device 30 blood storage capital verification to verify this permission, before allowing the read / write device 3 〇 access module 22 to preserve the storage π ya for the device communication interface, according to. Control processing core The requirements issued by the processing module 42 are returned to the host 40 1 to issue a command and a write command. The storage space 212 releases 9 storage spaces 212 and reads 7, and hides the storage space 2 f ', 'and between 22' to respond to the output of the output wheel 22 output to the host 4: after the poor material is decrypted, After the external data is encrypted by the read/write control, the storage is completed; the command is received by the host 4, and the input control module 22 is used in the storage space 212, wherein the data of the new open storage space 2 is changed, and further, the data security system 212 Access status. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ When the 672 access records reach the preset limit value, an access record is created, and when the write authorization is performed, the main control unit 22 is prohibited from canceling the read security. The machine 4 accesses the hidden storage space. For the purpose of ensuring the data, the third picture of the case is described in the H group. The preservation type of the creation is ##°月守守see η保王(10)Material - Specific Example The second diagram of the hardware architecture. The figure shows a compact hardware architecture of the security storage device 2() including a processor 25, a memory chip 26, an authorization authentication chip 27, and a transfer interface 28. The transmission interface 28 is a device signal terminal group for conducting and transmitting data signals with the internal terminals of the slot 3GG of the read and set 30 slots. The processing β 25 is the device control processing core, and the function of the read/write control module 22 is implemented, and the 5 memory chip 26 provides the open storage space 211 of the memory module 21. The hidden storage space 212, the authentication and authorization module 24, and the encryption/decryption module 23 are integrated on the authorization authentication chip 27. The authorized authentication chip 27 is a multi-function chipset, generally referred to as a smart card chip, and the host computer 4 can access the internal encrypted data only through the verification process, and the general host can detect the hidden storage space 2i2 level. All the information, upgrade the data security layer to provide storage ΐ ΓΓΐ1 storage device and # material security system, respectively, 2, hidden storage space and an open storage vacancy. Na access to the encrypted data, the upgrade device conforms to the program software host and the storage device to complete the test can be entered into one: the number of read and write times between the two f memory f to limit the amount of data access, will be absolutely the same machine all. Furthermore, the use of an authorized authentication chip will increase the separability of the system. =====Ensure data security. Therefore, the creation data is arbitrarily modified and (4). , Asia to ensure the safety of the system, to eliminate) 隹 'The above description is only for the purpose of this creation and the drawings, not to limit the creation, the detailed description of this example is based on the following patent application scope, ^ All scopes should be within the scope of the field, and can be easily thought of as changes or:: = the range of patents defined by the artist in this case. ... white can be covered in the following [simplified description of the schema] The first diagram is a schematic diagram of the architecture of the creation system, and the first diagram of the creation is a schematic diagram of the connection state of the creation; and one of the data security systems of the data security system is specific. Specific examples of the embodiments